CVE-2025-24054 involves the external control of file names or paths in Windows, allowing malicious actors to trigger SMB (Server Message Block) authentication requests that leak NTLMv2-SSP hashes during routine file operations. The flaw is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, which causes Windows Explorer to initiate an SMB authentication request to a remote server specified within the file. Notably, the exploit can be triggered with minimal user interaction, such as right-clicking, dragging, dropping, or simply navigating to a folder containing the malicious file. Check Point told Cyber Security News that once victims downloaded and interacted with these files, such as unzipping or clicking them, the exploit was triggered, leading to the leak of NTLM hashes.

This vulnerability, which concerns the NTLM (New Technology LAN Manager) authentication protocol, has become a significant threat, enabling attackers to leak NTLM hashes and potentially escalate privileges or move laterally within compromised networks. The exploitation of CVE-2025-24054 exemplifies how attackers leverage seemingly benign file operations to leak sensitive authentication hashes, facilitating deeper infiltration into target networks.

One notable campaign distributed malicious files via email links from Dropbox, which, when interacted with, exploited the vulnerability to leak hashes. These campaigns targeted government and private institutions, primarily in Poland and Romania, using spear-phishing emails containing ZIP archives and embedded malicious files. The resulting connections exposed NTLMv2-SSP hashes, which attackers could then use to perform pass-the-hash attacks, relay attacks, or escalate privileges within the network. The collected hashes were sent to malicious SMB servers hosted in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey. Because these requests leak hashes without requiring extensive user interaction, the attack is particularly insidious.

As threat actors continue to refine their tactics, organizations must prioritize timely patching, robust network security, and user education to defend against such sophisticated spoofing and hash disclosure attacks.
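As an added example (not from the article, Check Point or Microsoft), the following Python flags the observable side effect of the trigger described above in endpoint telemetry: an Explorer process opening an SMB connection (TCP 139/445) to a host outside the organisation's internal address ranges. Field names loosely follow Sysmon Event ID 3 (network connection); the sample records and the internal ranges are constructed for this example.

```python
import ipaddress

# Address ranges treated as internal for this example (RFC 1918, loopback,
# link-local). A real deployment would use the organisation's own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB


def is_shell_smb_egress(event: dict) -> bool:
    """True when explorer.exe opens an SMB connection to a non-internal host."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\explorer.exe"):
        return False
    try:
        port = int(event.get("DestinationPort", 0))
        ip = ipaddress.ip_address(str(event.get("DestinationIp", "")))
    except ValueError:
        return False  # malformed record; leave it to a data-quality check
    if port not in SMB_PORTS:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_shell_smb_egress(events: list) -> list:
    """Return the events worth alerting on, in input order."""
    return [e for e in events if is_shell_smb_egress(e)]


# Constructed sample telemetry, loosely modelled on Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
     "DestinationIp": "192.168.10.7", "DestinationPort": 445},   # internal file server
    {"Image": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
     "DestinationIp": "203.0.113.45", "DestinationPort": 445},   # SMB leaving the network
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": "CORP\\bob",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},   # ordinary HTTPS
    {"Image": r"C:\Windows\explorer.exe", "User": "CORP\\carol",
     "DestinationIp": "198.51.100.9", "DestinationPort": 139},   # SMB leaving the network
    {"Image": r"C:\Windows\explorer.exe", "User": "CORP\\dave",
     "DestinationIp": "not-an-ip", "DestinationPort": 445},      # malformed, skipped
]

if __name__ == "__main__":
    for hit in find_shell_smb_egress(SAMPLE_EVENTS):
        print(f"ALERT: {hit['User']} explorer.exe -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

Blocking outbound TCP 139/445 at the perimeter stops the authentication attempt itself; this check complements that by surfacing hosts that tried.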
Published on cybersecuritynews.com, Wed, 16 Apr 2025 14:25:17 +0000.